Custommers using Fire Bug firefox add-on to modify value sent to payment gateway

[JosefPrado]

Hi Team,

I've noticed that we have some costummers taking advantage of the Fire Bug plug-in to modify the values sent to payment gateway after the cart has been finalized and before click on finish in order to change the value to a value far lower than the cart.

This is very annoying because for instance, there is no check back to the value after the payment is made, so if the user made a R$ 19,90 purchase, change it to R$ 0,02, and click on finish.

The payment gateway (PagSeguro for instance) receive the R$ 0,02 order wich it consider normal, and process it, returning to Prestashop that the order number xxxx was paid, and prestashop automaticaly set it as paid, since there is no check on the values processed.

Result: We se an order of R$ 19,90 as paid, ut in fact, we received R$ 0,02 for it.

I understand that Fire Bug is a great tool to developers, but since its being used by some user to fraud prstashop, I would like to know if there is some way to make a setting inside prestahop BAckend where we can avoid user with Fire Bug enabled to place orders.

Regards,

Josef

[olea]

Hi Josef

Which version of prestashop do you use ?
Do you see also this kind of issue of the payment module provided in the nominal Presta or only with an external payment module ?

[JosefPrado]

Hi,

I'm using 1.1.5.

I just made the test and man, this works...

You place all your order and just before click on the last button (that will send you to the payment gateway), just open Fire Bug, change the hidden values that are passed to the payment gateway, and voila, the value is reduced to the ammount you want

I'm testing now in my other store wich has SSL, to see if the can be prevented.

Do a test in your store, and see if this works for you also.

Regards,

Josef

[JosefPrado]

Just confirming,

I made on a SSL enabled store and the error persists.

Courious is that the Item name seems encrypted in the post data, but the value is clear text and can be modifyed...

This is a serious bug...

Regards,

Josef

[Burhan BVK]

This is not a bug in Prestashop, it is a bug in your payment module. You should contact whoever supports that module.

[JosefPrado]

This is not a bug in Prestashop, it is a bug in your payment module. You should contact whoever supports that module.

I dont know if this is good or bad news

Anyway thanks for the answer. I just contacted the module developer and I'm waiting for the answer.

I will let you guys know as soon as I receive the reply.

Regards,

Josef

[mytheory.]

Any more news on this? Should I be worried or was this indeed a bug with your payment module and not PS?

[gemmo]

i have tested to change the currency in the Bank transfer module included in the download package of 1.3 ... i changed from sek to dollars and dollars is registered in the backoffice.... hm EDIT using firebug